Every security framework recommends an incident response plan. Most organisations have one filed somewhere, usually a document written by a consultant two years ago that nobody has read since. When a genuine incident occurs, the plan either cannot be found, references people who have left the company, or describes procedures that bear no resemblance to the current infrastructure.
Real incidents are chaotic. Systems behave unpredictably. Key personnel are unavailable. Communication channels may be compromised. The organisations that handle breaches effectively are not the ones with the thickest plan documents. They are the ones that practised their response before they needed it.
Where Plans Collapse
Communication fails first. When email and internal messaging systems are potentially compromised, teams need pre-established out-of-band communication channels. Organisations that have not tested alternative communication methods waste critical early hours trying to coordinate a response through the very systems the attacker may be monitoring.
Escalation paths break next. The plan says to contact the CISO, but the CISO left six months ago. The backup contact is on holiday. The third contact does not have the authority to make containment decisions like isolating network segments or shutting down servers. Meanwhile, the attacker continues moving laterally through the network.
Evidence preservation suffers when untrained staff attempt to investigate. Rebooting compromised systems destroys volatile memory that contains attacker artefacts. Logging into affected accounts alerts the attacker that they have been discovered. Well-intentioned actions by panicked staff can destroy the forensic evidence needed to understand the breach scope.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “The organisations that recover fastest are the ones that run tabletop exercises quarterly. They walk through realistic scenarios, identify where their plan breaks down, and fix the gaps before a real incident forces them to improvise. A plan that has never been tested is just a document. A plan that has been exercised, challenged, and refined is a genuine defensive capability.”

Building a Response Capability
Conduct tabletop exercises that simulate realistic attack scenarios. Include representatives from IT, legal, communications, and senior management. Test whether your containment procedures actually work by running them against your live environment during scheduled maintenance windows.
Pair response planning with internal network penetration testing that maps the attack paths an adversary would follow. Understanding how an attacker moves through your network allows you to pre-position monitoring, define containment boundaries, and build detection rules that trigger early enough to limit damage.
Review and update your plan quarterly. Check contact details, verify that referenced tools and systems still exist, and confirm that documented procedures reflect your current infrastructure. Request a penetration test quote to combine testing with a response exercise that gives your team realistic practice under controlled conditions.
Incident response is a skill that degrades without practice. Invest in exercises now so that when the real call comes at three in the morning, your team knows exactly what to do.